Unix: Rooting out the rootkits

Finding a computer infection that is designed to remain hidden is not easy, but neither is it impossible

Page 2 of 2

It's a good idea to have a rescue CD or DVD on hand so that you can examine an infected system (or a potentially infected system) without depending on tools or commands installed on that system. When a rootkit is likely, all of them are suspect.

Some of the tools and commands you should have on that rescue CD or DVD include chkrootkit -- an open source application that checks for the presence of rootkits -- and md5sum. On rpm-based systems, you will also find that the rpm command itself can prove very useful in detecting file changes, which can tell you a lot about which files are involved in your rootkit.

You can get chkrootkit from http://www.chkrootkit.org. It will:

  • check system binaries for modification
  • check if the network interface is in promiscuous mode
  • analyze the lastlog, wtmp and utmp files for potential deletions (also wtmpx on Solaris systems)
  • look for loadable kernel module trojans

You can use the find command to locate files that have the immutable (sticky) bit set -- something that some rootkits do to keep their hacked files from being removed. You can also look for files with the suid and sgid bits set, but this may be less valuable than you might first think, since a rootkit runs with root privilege and, thus, does not need this kind of support.

$ find / -type d -perm -1000 -exec ls -ld {} \;

You can also do some clever things with the rpm command. The rpm -V (or rpm --verify) command will show file and metadata changes that have occurred since installation. It checks checksums as well as permissions and file sizes. Use rpm -V packagename to verify a single application, or rpm -Va to check all installed packages.

For each changed file you can expect to see a string of letters and dots like S.5....T followed by the file's name. Each letter in that string identifies one kind of change; a dot means that particular check passed.

letter     meaning (i.e., what has changed)
======     ================================
  S        file size
  M        mode
  5        MD5 sum
  D        device major/minor numbers
  L        readLink path
  U        user ownership
  G        group ownership
  T        mtime

If rpm -V produces no output, you can add a lowercase v (rpm -Vv) to see the list of files being checked. Each should be preceded by a string of dots, showing that none of the changes described above were detected.
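To make the table concrete, here is an added example (not from the original article) that decodes rpm -V status strings and picks out the files most worth a closer look; the sample output it parses is constructed for this example, not captured from a real system.

```python
import re

# Meaning of each flag in an rpm -V status string, from the table above. Newer
# rpm versions print a ninth column, P (capabilities), so it is included too.
FLAG_MEANING = {
    "S": "file size", "M": "mode", "5": "MD5 sum", "D": "device major/minor numbers",
    "L": "readLink path", "U": "user ownership", "G": "group ownership",
    "T": "mtime", "P": "capabilities",
}

# Constructed sample of rpm -Va output for this example (not from a real system).
# The optional single-letter column after the flags marks config (c) and doc (d) files.
SAMPLE_OUTPUT = """\
S.5....T    /bin/ls
.......T  c /etc/ssh/sshd_config
..5......   /usr/bin/netstat
missing     /usr/sbin/lsof
S.5....T  d /usr/share/doc/foo/README
"""

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)

def parse_verify_line(line):
    """Decode one rpm -V line into (path, attr, list of changes); None if it is not one."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    flags = m.group("flags")
    if flags == "missing":
        changes = ["missing"]
    else:
        # A dot means the test passed; '?' means rpm could not perform that test.
        changes = ["test not performed" if c == "?" else FLAG_MEANING[c]
                   for c in flags if c != "."]
    return m.group("path"), m.group("attr"), changes

def suspicious_binaries(output):
    """Paths whose contents changed or that vanished, ignoring config and doc files."""
    hits = []
    for line in output.splitlines():
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        path, attr, changes = parsed
        # Config files change legitimately; a digest change or a missing file elsewhere does not.
        if attr not in ("c", "d") and ("MD5 sum" in changes or "missing" in changes):
            hits.append(path)
    return hits
```

A changed mtime alone (as on sshd_config above) is usually benign; a changed MD5 sum on a system binary is what warrants comparison against a known-good copy from your rescue media.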

There are many free and commercial tools for detecting and removing rootkits. And any rootkit designer is going to be using them too. The best tool likely depends on the particular rootkit and we are likely to continue to see the game of one-upmanship (rootkit authors trying to outsmart detectors and vice versa) for many years to come.
